>> There's been a discussion recently on the OSI mailing lists of including
>> the source code to GPLed programs as a mountable file system executable
>> inside the ELF image.  The general feeling was that people wouldn't be
>> inclined to trust such tools, since they would be only rarely used.
>
> That's an interesting idea, although I wouldn't trust it without a way to
> verify that the executable code matched the source code.

You'd have to include the source code of the compiler and build tools
used to compile the executable. Then the recipient could verify the
source code by compiling the compiler and using the compiled compiler to
compile the application program to find out whether the binary matches.
It probably wouldn't match due to system-specific differences, so the
image would need to include the build environment for the compiler...
soon we're at <http://bootstrappable.org/> :)

On a more serious note, practically all security is based on a
web-of-trust model. Even physical security - if you put things in a safe
you have to trust the people who built the safe, etc. It's not practical
to do much real verification by yourself - just cursory inspection.
Cryptographic hashes are simple and effective, but again you have to
trust whoever sent the hash.

Aside from that, it would be interesting to find out the size of the
`gcc` executable or the Linux kernel with the full source code included.